{
	"id": "e1c39f87-f6e4-4773-bf9f-874027e8eed3",
	"created_at": "2026-04-06T00:13:51.103603Z",
	"updated_at": "2026-04-10T13:12:20.285499Z",
	"deleted_at": null,
	"sha1_hash": "48253f3e8272d2450377931f927e76cc9cea55db",
	"title": "A Deep Dive into Water Gamayun's Arsenal and Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8254145,
	"plain_text": "A Deep Dive into Water Gamayun's Arsenal and Infrastructure\r\nPublished: 2025-03-28 · Archived: 2026-04-02 11:58:10 UTC\r\nSummary\r\nWater Gamayun, which exploits the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) to\r\ncompromise systems and exfiltrate data, uses custom payloads and data exfiltration techniques. Businesses\r\ncan be severely impacted by such an attack as a result of data theft and operational disruption.\r\nThe threat actor deploys payloads primarily by means of malicious provisioning packages, signed .msi\r\nfiles, and Windows MSC files, using techniques like the IntelliJ runnerw.exe for command execution.\r\nEncryptHub Stealer variants, and backdoors such as SilentPrism and DarkWisp, are also used to gain\r\npersistence and steal data. These malware strains communicate with C\u0026C servers for command execution\r\nand data exfiltration, leveraging encrypted channels and anti-analysis techniques.\r\nOrganizations can protect themselves from threats like Water Gamayun through up-to-date patch\r\nmanagement and advanced threat detection technologies. Trend customers are protected from attempts to\r\nexploit CVE-2025-26633 via Trend Vision One™ rules and filters.\r\nWater Gamayun, a suspected Russian threat actor also known as EncryptHub and Larva-208, has been exploiting\r\nthe MSC EvilTwin (CVE-2025-26633), a zero-day vulnerability that was patched on March 11.\r\nIn the first installment of this two-part series, Trend Research discussed in depth its discovery of\r\na Water Gamayun campaign exploiting this vulnerability. In this blog entry, we will cover the various delivery\r\nmethods, custom payloads and techniques used by Water Gamayun to compromise victim systems and exfiltrate\r\nsensitive data.\r\nThe threat actor mainly delivers malicious payloads through provisioning packages (.ppkg), signed Microsoft\r\nInstaller files (.msi) and Windows MSC files. 
We also identified a new living-off-the-land binary (LOLBin)\r\ntechnique in which the attacker utilizes the IntelliJ process launcher runnerw.exe file to proxy\r\nthe execution of PowerShell commands on an infected system.\r\nThis campaign, attributed to Water Gamayun, appears to be under active development. These payloads are\r\ndesigned to maintain persistence and steal sensitive data and exfiltrate it to the attackers' command-and-control\r\n(C\u0026C) servers. In this research, we provide a detailed analysis of each malicious payload in this arsenal. Notably,\r\nwe gained access to the components and modules of the C\u0026C servers, enabling a comprehensive analysis of their\r\narchitecture, functionality, and evasion techniques.\r\nThe following is the identified arsenal associated with Water Gamayun. All the details of these modules are\r\ncovered in this blog post.\r\nEncryptHub stealer\r\nDarkWisp backdoor\r\nSilentPrism backdoor\r\nMSC EvilTwin loader\r\nStealc\r\nRhadamanthys stealer\r\nhttps://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html\r\nPage 1 of 41\n\nIn the following section, we will explore the history of EncryptHub and conduct an analysis of the associated\r\nmalware.\r\nEncryptHub’s origins\r\nOn July 26, 2024, security researcher Germán Fernández tweeted about a fake WinRAR website\r\ndistributing various types of malware, including stealers, miners, hidden virtual network computing (hVNC), and\r\nransomware, as shown in Figure 1. These malicious tools were hosted on a GitHub repository named\r\n\"encrypthub,\" managed by a user called \"sap3r-encrypthub\" (Figure 2).\r\nFigure 2. EncryptHub Github repository\r\nSubsequently, on August 5, 2024, researchers published an analysis detailing this attack vector,\r\nshedding light on the malicious activity associated with this campaign. 
The GitHub repository was later taken\r\ndown, and its contents were relocated to the encrypthub.(net/org) domain. The attackers transitioned their\r\noperations to this domain, utilizing it to both host the malware and manage their command-and-control (C\u0026C)\r\nserver infrastructure.\r\nAt the time of our research, the encrypthub.(net/org) domain was no longer operational. During our investigation,\r\nwe identified a new and active domain hosted at 82[.]115[.]223[.]182. Usually, the server is active for a few days\r\nbefore going down, and then a new one is deployed to replace it. We list these C\u0026C servers in the Indicators of\r\nCompromise (IOC) section at the end of this blog entry.\r\nMSI malware distribution vector\r\nName DingTalk_v7.6.38.122510801.msi\r\nMD5 abaa46bc704842d6cc6f494c21546ae6\r\nSHA-1 87c46845f57dc9ca8136b730c08b5b5916ca0ad3\r\nSHA-256 cbb84155467087c4da2ec411463e4af379582bb742ce7009156756482868859c\r\nSize 4.01 MB (4205056 bytes)\r\nFile type MSI\r\nName QQTalk.msi\r\nMD5 87792cf4bd370f483a293a23c4247c50\r\nSHA-1 a225bee48074feac53c7cb2f3929a41f7b4a71d3\r\nSHA-256 725df91a9db2e077203d78b8bef95b8cf093e7d0ee2e7a4f55a30fe200c3bf8f\r\nSize 4.06 MB (4259328 bytes)\r\nFile type MSI\r\nName VooV Meeting.msi\r\nMD5 e59a025f9310d266190b91f5330fde8d\r\nSHA-1 ffb72adff6e099a9deb418c5d40abd8cf9b12c42\r\nSHA-256 db3fe436f4eeb9c20dc206af3dfdff8454460ad80ef4bab03291528e3e0754ad\r\nSize 4.09 MB (4291584 bytes)\r\nFile type MSI\r\nTable 1. MSI malware\r\nThe MSI (Microsoft Installer) file is designed to execute a PowerShell downloader, which downloads and runs the\r\nnext-stage payload on an infected system.\r\nThe threat actor is taking advantage of the Custom Action feature in the MSI package format to run the\r\nPowerShell script.  
The CustomAction table includes third-party libraries like aicustact.dll and\r\nPowerShellScriptLauncher.dll, indicating that the MSI was likely created using the \"Advanced Installer\"\r\napplication. The malicious script is embedded in the AI_DATA_SETTER custom action within the\r\nCustomActionData field (Figure 3). \r\nFigure 3. Malicious MSI custom action\r\nAI_DATA_SETTER is a Type 51 custom action, which is used to dynamically set property values during the\r\ninstallation process. The embedded script is executed by the PowerShellScriptInline custom action, which is\r\nexported from the PowerShellScriptLauncher.dll library. This action retrieves the PowerShell code from the\r\nCustomActionData field and executes it during runtime.\r\nFigure 4. MSI execution flow\r\nSilentPrism backdoor\r\nName worker.ps1\r\nMD5 f0df469c3459a6a3b98b7b69b07bf61b\r\nSHA-1 b38a0478aefa9d9d77282dd82ada51d7a47fe6f5\r\nSHA-256 983506186590f7118cb507d29f12f163afb536a03e6d0f4fb441df8afe49ede1\r\nSize 13241 bytes\r\nFile type PowerShell\r\nTable 2. SilentPrism\r\nSilentPrism is a backdoor designed to achieve persistence, dynamically execute shell commands, and\r\nmaintain unauthorized remote control of compromised systems (Figure 5). It implements persistence mechanisms\r\ndifferently based on user privileges: for non-administrative users, it leverages the Windows registry to create auto-run entries using mshta.exe combined with VBScript to download and execute remote payloads; for administrative\r\nusers, it deploys scheduled tasks with similar execution methods. SilentPrism retrieves additional payloads and\r\ninstructions from a C\u0026C server, ensuring modular functionality.\r\nThe malware communicates with its C\u0026C server using encrypted channels, employing AES encryption and\r\nBase64 encoding to obfuscate data. 
Commands received are decrypted and executed in various ways, including\r\ndirect PowerShell script execution, dynamic script block creation, or job-based execution. Each task is tracked\r\nusing unique identifiers, allowing the malware to monitor execution states and return results to the server.\r\nSilentPrism incorporates anti-analysis techniques such as virtual machine detection and randomized sleep\r\nintervals (ranging from 300 to 700 milliseconds) between operations, making its behavior less predictable.\r\nAdditionally, it continuously polls the C\u0026C server for commands, enabling operators to dynamically control\r\ninfected systems. \r\nFigure 5. SilentPrism execution logic\r\nIn Figure 6, we show the network traffic generated by an infected system during its registration and data\r\nexfiltration process. Figure 7 shows the decrypted data sent by the malware.\r\nFigure 6. Exfiltration of encrypted collected information\r\nFigure 7. Sample of the decrypted collected information\r\nThe script enters a polling cycle with randomized sleep intervals (300-700 milliseconds) where it transmits the\r\nsystem’s Universally Unique Identifier (UUID) to a predefined endpoint. 
Upon receiving non-wait responses, the\r\nscript deserializes JSON payloads containing command instructions, implements job management logic to track\r\nexecution status, and utilizes PowerShell's scriptblock creation mechanism with Invoke-Expression (iex) to\r\nexecute arbitrary commands received from the C\u0026C server.\r\nThe script leverages PowerShell's Start-Job functionality to run commands asynchronously, allowing the malware\r\nto execute multiple commands simultaneously without blocking the main communication loop. Completed job\r\noutputs are encrypted and transmitted back to the server. The code snippet in Figure 8 shows the SilentPrism\r\nbackdoor beaconing and command execution logic.\r\nFigure 8. SilentPrism command execution logic\r\nMSC EvilTwin loader\r\nName miner.ps1\r\nMD5 239e8a3ee1fafe452d0b59eadb32247b\r\nSHA-1 1377a69ae519d1cf000fa51869454e31ba92056d\r\nSHA-256 0ac748baaad6017e331a8d99aae9e5449a96ba76fb7374f5d8c678ae52b7db9f\r\nSize 276 KB (282803 bytes)\r\nFile type PowerShell\r\nName runner.ps1\r\nMD5 99a80820ae6dc60c9e9307e6ed8ef211\r\nSHA-1 2e4ae2af76c6239eb4191853221b4a40139cc122\r\nSHA-256 f381a3877028f29ec7865b505b5c85ce77d4947d387d3f30071159fa991f009a\r\nSize 276 KB (282808 bytes)\r\nFile type PowerShell\r\nTable 3. MSC EvilTwin loader\r\nThe MSC EvilTwin loader (Figure 9) represents a novel approach (CVE-2025-26633) to malware deployment by\r\nleveraging specially crafted Microsoft Saved Console (.msc) files. The MSC EvilTwin loader creates two\r\ndirectories: C:\\Windows\u003cspace\u003e\\System32\\ and C:\\Windows\u003cspace\u003e\\System32\\en-US. These directories mimic\r\nlegitimate system paths to give credibility to the files placed within them. 
The loader contains two Base64-encoded payloads, referred to as decodedBytesOriginal and decodedBytesFakes.\r\nThe decodedBytesOriginal variable contains a decoy XML configuration .msc file, while the decodedBytesFakes\r\nvariable contains a crafted .msc file with a placeholder {htmlLoaderUrl}. This placeholder is later replaced with\r\nthe URL https://82[.]115[.]223[.]182/encrypthub/ram/, which contains PowerShell commands.\r\nThe loader writes the decoy .msc file to C:\\Windows \\System32\\WmiMgmt.msc and the malicious .msc file to\r\nC:\\Windows \\System32\\en-US\\WmiMgmt.msc. The {htmlLoaderUrl} placeholder in the malicious file is replaced\r\ndynamically with the specified URL (Figure 10).\r\nThe loader then executes the malicious .msc file using Start-Process. This execution downloads and runs a\r\nPowerShell script from the specified URL to deliver the next-stage payload. Afterward, the loader introduces a 30-second delay using the Start-Sleep command, likely to ensure successful execution and avoid detection.\r\nFinally, the loader performs a cleanup operation by removing the created directories and files (C:\\Windows \\System32\\, C:\\Windows \\System32\\en-US, and C:\\Windows) to minimize forensic traces.\r\nFigure 9. MSC EvilTwin loader main logic\r\nFigure 10. 
Execute code hosted on C\u0026C server via MMC.exe’s view object method\r\nExecuteShellCommand\r\nIn runner.ps1 (Table 3), the malware downloads and deploys the Rhadamanthys stealer onto an infected system.\r\nThe file ram.exe (SHA256: bad43a1c8ba1dacf3daf82bc30a0673f9bc2675ea6cdedd34624ffc933b959f4) serves as\r\nthe Rhadamanthys loader, which is responsible for installing and activating the Rhadamanthys stealer on the\r\ncompromised machine.\r\nDarkWisp backdoor analysis\r\nName Encrypt.ps1\r\nMD5 42b55615cbaa014f246097bd904d7ff2\r\nSHA-1 f16e0dac597de903a4c6842184770ba5618275a0\r\nSHA-256 d150d8d8bfa651c0e08a10323ecb0bccf346a35bd1bad19f89a5338acd8a88b3\r\nSize 24.90 KB (25495 bytes)\r\nFile type PowerShell\r\nTable 4. DarkWisp backdoor\r\nTo achieve persistence on infected systems, Water Gamayun employs two distinct backdoors in their campaigns.\r\nIn earlier campaigns with encrypthub[.]net/org, they utilized the SilentPrism backdoor, a tool designed for\r\nstealthy access and control. In their latest campaign, we identified a new backdoor, which we have named\r\nDarkWisp.\r\nDarkWisp is a PowerShell-based backdoor and reconnaissance utility designed for unauthorized system access\r\nand intelligence gathering (Table 4). It enables attackers to exfiltrate sensitive data while maintaining persistent\r\ncontrol over the compromised system. Figure 11 provides an overview of the core logic behind DarkWisp,\r\nshowcasing its structure and functionality. \r\nFigure 11. 
DarkWisp execution flow\r\nThe malware collects extensive information about the compromised system to create a detailed profile (Figure 12).\r\nIt determines whether the user has administrative privileges, checks for membership in a corporate domain, and\r\nidentifies the presence of cryptocurrency wallets or VPN software by scanning specified directories and\r\napplications. It also gathers data about the system's operating environment, including public IP address,\r\ngeographic location, installed antivirus products, firewall status, and system uptime. This information is compiled\r\ninto a structured format and transmitted to the C\u0026C server.\r\nFigure 12. DarkWisp data exfiltration\r\nThe malware implements a dual-channel C\u0026C communication strategy. The primary channel operates over TCP\r\nport 8080, which is used for three purposes:\r\n1. Sending initial system reconnaissance data (including computer name, user privileges, OS details,\r\ncryptocurrency wallet presence, VPN status, and antivirus information)\r\n2. Maintaining a persistent connection through a PING mechanism\r\n3. Receiving Base64-encoded commands from the C\u0026C server\r\nThe secondary channel operates over HTTPS port 8081 and serves as a redundant path specifically for exfiltrating\r\ncommand execution results. When a command is executed, the output is sent both through the TCP connection on\r\nport 8080, encoded as a Base64 string, and via an HTTPS GET request to port 8081 using the endpoint\r\n/receive_result. This dual-channel approach for command results ensures reliable delivery of command outputs\r\nback to the C\u0026C server, even if one channel becomes unavailable. Figure 13 shows the network traffic sent by the\r\nmalware over TCP on port 8080.\r\nFigure 13. 
DarkWisp backdoor network communication\r\nOnce the malware exfiltrates reconnaissance and system information to the C\u0026C server, it enters a continuous\r\nloop waiting for commands. The malware accepts commands through a TCP connection on port 8080, where\r\ncommands arrive in the format COMMAND|\u003cbase64_encoded_command\u003e.\r\nFigure 14. DarkWisp command execution\r\nEach DarkWisp backdoor stub has a unique build identifier, which the C\u0026C server uses upon establishing a\r\nsuccessful connection. The server then sends specific commands tailored to the corresponding build. In this case,\r\nthe build identifier is encrypthub (Figure 15), and the server issues a predefined command, whoami, encoded as\r\nCOMMAND|d2hvYW1p.\r\nFigure 15. Payload build\r\nIn Figure 16 below, we show that this configuration is stored on the C\u0026C server.\r\nFigure 16. C\u0026C server configuration\r\nThe malware decodes this Base64-encoded command and executes it using the Invoke-Expression cmdlet. The\r\noutput of the executed command is formatted as RESULT|\u003cCommand output\u003e and sent back to the server. This\r\nresult is exfiltrated over TCP on port 8080, and optionally over HTTPS on port 8081, for redundancy and evasion\r\n(Figure 17). The main communication loop ensures continuous interaction with the server, handling commands,\r\nmaintaining connectivity, and securely transmitting results.\r\nFigure 17. Command execution result exfiltration\r\nFigure 18. 
Execution debug message – Server issues a \"whoami\" command to the malware upon\r\nestablishing a connection\r\nEncryptHub stealers\r\nWe have identified five information stealers in the Water Gamayun arsenal, including three custom PowerShell\r\npayloads and two known malware binaries: Stealc and Rhadamanthys Stealer.\r\nIn a campaign distributing malware via encrypthub[.]org/net, the custom PowerShell-based stealers used were\r\nnamed stealer_module.ps1 and encrypthub_steal.ps1; we refer to these as EncryptHub Stealer variant A. Among the payloads\r\nserved from 82[.]115[.]223[.]182/payload, the info stealer was named fickle_payload.ps1; we refer to it as\r\nEncryptHub Stealer variant B. In a more recent campaign, we identified another variant named payload.ps1; we\r\nrefer to it as EncryptHub Stealer variant C. These variants exhibit similar functionalities and capabilities, with\r\nonly minor modifications distinguishing them.\r\nAll EncryptHub variants covered in this research are modified versions of the open-source Kematian-Stealer. These\r\nvariants also use the banner shown in Figure 19, unlike the original Kematian-Stealer developed by\r\n“Somali-Devs”, which is no longer available on GitHub.\r\nFigure 19. Encrypthub stealer’s banner\r\nEncryptHub Stealer is distributed through malicious MSI packages or binary malware droppers such as skotes.exe\r\n(SHA256: 079b7f03c727de92c3fcb7d3b9b9fea6d1e9ffdcd60dc9a360af90ce7b4b5cc6), WEXTRACT.EXE.MUI\r\n(SHA256: 5752efa219c7e42cb104917f38c146e1f747d14230be0e64a5e87c20e82075bb), and axplong.exe\r\n(SHA256: 2a5f9198f1e563688a2081b746bdaf48d897ec0ae96dfafc15cd5cd52c25e8f2). These droppers deploy\r\nand execute various other stealers, including Lumma Stealer and Amadey. 
EncryptHub’s execution flow and\r\narchitecture are shown in Figure 20.\r\nFigure 20. EncryptHub stealer - Execution flow and architecture\r\nEncryptHub Stealer Variant A\r\nName stealer_module.ps1\r\nMD5 2f8bf3e5b6cbdb0c8e5935b078711867\r\nSHA-1 Ca4fea2deacb9665461eb74b6422b137326c0d76\r\nSHA-256 B29e630b9c70b0daaba4f83489494444c04c7a470b9c24eb4ddffb6cd7cf05ff\r\nSize 368111 bytes\r\nFile type PowerShell\r\nName encrypthub_steal.ps1\r\nMD5 1fbe357c26133a4b39b96fdd2c48f1ae\r\nSHA-1 57ab6bdbb41289f3c8983d5b48fc98c08782ed1f\r\nSHA-256 677601f72181c53541f850248dd0904153ea62458489d7aa782149b93399ebd8\r\nSize 371740 bytes\r\nFile type PowerShell\r\nTable 5. EncryptHub Stealer Variant A\r\nUpon execution, the malware collects extensive system information, including antivirus software, installed\r\nsoftware, network adapters, running applications, and more. It also extracts sensitive data such as Wi-Fi\r\npasswords, Windows product keys, clipboard history, and session data from various messaging clients, VPN\r\nclients, VNC clients, FTP clients, and password managers. 
Additionally, it collects files from user directories\r\nbased on these specific keywords and extensions:\r\n$keywords = @(\"2fa\", \"acc\", \"account\", \"auth\", \"backup\", \"bank\", \"binance\", \"bitcoin\", \"bitwarden\", \"btc\",\r\n\"casino\", \"code\", \"coinbase \", \"crypto\", \"dashlane\", \"discord\", \"eth\", \"exodus\", \"facebook\", \"funds\", \"info\",\r\n\"keepass\", \"keys\", \"kraken\", \"kucoin\", \"lastpass\", \"ledger\", \"login\", \"mail\", \"memo\", \"metamask\", \"mnemonic\",\r\n\"nordpass\", \"note\", \"pass\", \"passphrase\", \"proton\", \"paypal\", \"pgp\", [...])\r\n$allowedExtensions = @(\"*.jpg\", \"*.png\", \"*.rdp\", \"*.txt\", \"*.doc\", \"*.docx\", \"*.pdf\", \"*.csv\", \"*.xls\", \"*.xlsx\",\r\n\"*.ldb\", \"*.log\", \"*.pem\", \"*.ppk\", \"*.key\", \"*.pfx\")\r\nFigure 21 illustrates how the malware fingerprints a victim machine.\r\nFigure 21. EncryptHub Variant A - System information gathering\r\nThe malware then sends the collected system information to the attacker's C\u0026C server (Figure 22), unlike\r\nKematian stealer, which used Discord for exfiltration. Figure 23 shows the HTTP request used to exfiltrate system\r\ninformation.\r\nFigure 22. Collection and exfiltration of system information\r\nFigure 23. HTTP request used to exfiltrate system information\r\nAfter transmitting the system information, the malware proceeds to initiate the stealing process. It gathers\r\nadditional data such as browser credentials, clipboard content, and other sensitive information. This data is then\r\ncompressed into a ZIP archive and uploaded to the attacker's C\u0026C server (Figure 24). 
Figure 25 shows the HTTP\r\nrequest used to exfiltrate the stolen data.\r\nFigure 24. Archiving and exfiltrating collected data\r\nFigure 25. HTTP request used to exfiltrate collected data\r\nIn this variant, we have identified the use of a LOLBins technique (Figure 26), which attackers tend to utilize to\r\ncarry out malicious activities, blending their actions with normal system operations to evade detection.\r\nIn this case, the malware loads IntelliJ's runnerw.exe – renamed to invoker.exe (SHA256:\r\n91aa7642a301ad6f46a6e466d89b601270aac64b7b6a5661436f7f9b5d804e89) – which is a Windows executable\r\nthat acts as a wrapper process for running and managing programs launched from IntelliJ IDEA.\r\nThe script ensures it runs with administrative privileges and, if successful, decodes and writes a payload to the\r\ncreated C:\\Windows\u003cspace\u003e\\System32 directory. It then uses powershell.exe to run the payload with hidden\r\nexecution and bypasses standard execution policies, downloading and executing a remote script. This technique\r\neffectively evades detection by abusing the inherent trust in system binaries and directories, combining script\r\nexecution and network-based payload delivery to carry out its objectives stealthily.\r\nFigure 26. LOLBins technique\r\nFigure 27 below shows the execution of the PowerShell script using the renamed file invoker.exe, leveraging the\r\nLOLBins technique.\r\nFigure 27. 
PowerShell execution via LOLBins technique\r\nEncryptHub Stealer Variant B\r\nName fickle_payload.ps1\r\nMD5 3371da6397159dbced2794c12aeb80c6\r\nSHA-1 291ed2eb864c95ba5495ca415efd1b071362ec7b\r\nSHA-256 899d0b75e7eb3250246f709ad8aa32a8634f536153a3d2eaa3b5a9d9c2690168\r\nSize 28490240 bytes\r\nFile type PowerShell\r\nTable 6. EncryptHub Stealer Variant B\r\nThis stealer variant has been identified in a campaign hosted on the C\u0026C server at 82[.]115[.]223[.]182. In Figure\r\n28, we show the debug execution message of EncryptHub Variant B.\r\nWhile there are code similarities between this version and the Kematian stealer, the malware author has made\r\nsignificant modifications. They have removed some functions and introduced new capabilities: these include\r\nautomated collection techniques and obfuscation methods like Base64 encoding of the collected file name and\r\nbuild type (Figure 29), the exfiltration of collected information to a remote server over port 8081 (Figures 30 and\r\n31), and the sending of notification messages to the attacker via Telegram (Figures 32 and 33). This stealer variant\r\nis designed to collect data, like the previously mentioned stealers.\r\nFigure 28. EncryptHub Variant B Stealer - Execution\r\nFigure 29. EncryptHub Variant B collects system information\r\nFigure 30. Constructing the HTTPS request to upload the collected information\r\nFigure 31. Exfiltrating the collected information to the attacker\r\nFigure 32. Constructing the Telegram notification request (associated HTTP request)\r\nFigure 33. 
Telegram notification\r\nEncryptHub Stealer Variant C\r\nName payload.ps1\r\nMD5 1c34b88280d660051b69ccb40660e71f\r\nSHA-1 d63a8c0a00fb1c68450da7cc19a08a6ed96791dc\r\nSHA-256 49a552d3adbcad9f5ac70151b48a4edc2ae1d4094a1ea9d944785cee8b4319d7\r\nSize 28504756 bytes\r\nFile type PowerShell\r\nTable 7. EncryptHub Stealer Variant C\r\nVariant C (Table 7) is the latest version of the script, introducing modifications that change how data is exfiltrated\r\nto the C\u0026C server (Figure 34). Notably, it removes Telegram-based data exfiltration, which has been replaced\r\nwith direct HTTPS exfiltration to a hardcoded attacker-controlled server, hxxps[:]//malwarehunterteam[.]net.\r\n(There is no connection between this server and the similarly named group of independent security researchers.)\r\nThis shift eliminates the reliance on third-party messaging services and allows the attacker to maintain full control\r\nover stolen data. \r\nFigure 34. EncryptHub Stealer Variant C - Stolen data statistics creation logic\r\nIn Figure 35, we show how the malware transmits stolen data statistics to its C\u0026C server. The traffic contains\r\nmultiple Base64-encoded parameters, which include the victim's system details and the count of stolen items, such\r\nas passwords, cookies, cryptocurrency wallets, and messaging credentials. Each parameter is individually encoded\r\nand appended to the query string after the /send_notification? endpoint, with the request being sent over port\r\n8081. This variant’s stolen file exfiltration mechanism and other features are similar to those in Variant B.\r\nFigure 35. 
EncryptHub Stealer Variant C - Stolen data statistics exfiltration\r\nEncryptHub infrastructure\r\nDuring our research, we identified new and active infrastructure utilized by EncryptHub, which has been under\r\ndevelopment on 82[.]115[.]223[.]182. Its login page is seen in Figure 36. \r\nFigure 36. EncryptHub login page\r\nOur investigation revealed that the threat actor leverages this domain to host a variety of malicious payloads\r\n(Figure 37), including encrypted.ps1 and fickle_payload.ps1, as well as data collected from compromised\r\nmachines, and the server-side implementation of the C\u0026C infrastructure. The file and directory tree structure used\r\nin this campaign is shown in Figure 38.\r\nFigure 37. EncryptHub payloads\r\nFigure 38. EncryptHub C\u0026C tree structure\r\nMoreover, we discovered that the threat actor uses HTML pages that appear blank in the browser but contain\r\nhidden JavaScript code when inspected. This concealed JavaScript is designed to download additional malicious\r\nfiles, including backdoors such as DarkWisp, stealers like Stealc and Rhadamanthys, as well as AnyDesk\r\nsoftware, which is used for remote access.\r\nFigure 39 illustrates the JavaScript code that was used to execute a PowerShell command, which in turn\r\ndownloads another PowerShell script responsible for downloading and executing AnyDesk.\r\nFigure 39. Remote PowerShell execution via JavaScript within empty HTML to download AnyDesk\r\nFurthermore, our investigation revealed that the C\u0026C server operates on the same server (Figure 40), specifically on\r\nport 8081. 
We successfully obtained the C\u0026C source code, configuration files, victim list, and additional relevant\r\ndata. \r\nFigure 40. Server-side C\u0026C content\r\nC\u0026C server implementation\r\nName Handler.py\r\nSHA-256 724aa4d5e3fb96be0a4a01a74324e7123d3281d7e3dce0f79ae717c5a7383ef1\r\nSize 15504 bytes\r\nFile type Python\r\nTable 8. handle.py script\r\nThe handle.py script (Table 8) functions as the server-side component of a C\u0026C server for the DarkWisp\r\nbackdoor, facilitating management and communication with compromised client machines.\r\nThe primary server function initiates a multi-threaded TCP server that listens for incoming client connections on\r\ndesignated HOST and PORT addresses (Figure 41). Leveraging the socket library, the server binds to its assigned\r\naddress and begins listening with a connection backlog set to 5. When a new client connection is accepted, a\r\ndedicated thread is spawned to manage client interactions, ensuring that the server can handle multiple\r\nconnections simultaneously. Additionally, the server launches a Flask-based web server on port 8081 to manage\r\nHTTP requests, along with a periodic ping function (Figure 42).\r\nFigure 41. C\u0026C main function\r\nFigure 42. send_periodic_ping function\r\nUpon establishing a successful connection with the client, the server can receive three distinct types of messages\r\nprefixed with INFO|, COMMAND|, or PING (Figure 43). Upon receipt of client information, the server is\r\ndesigned to automatically send a notification to the attacker via Telegram (Figure 44). Figure 45 demonstrates how\r\nit sends a notification message with system information to the attacker via Telegram.\r\nFigure 43. Handling client messages\r\nFigure 44. 
Handling INFO messages from clients\r\nFigure 45. Prepare the information to send a notification message to Telegram\r\nFigure 46. Telegram notification function\r\nMoreover, the malware author has the capability to send Base64-encoded remote commands to the victim's machine (Figure 47). This technique aims to evade detection mechanisms by obfuscating the commands, while ensuring the results are transmitted back to the attacker effectively.\r\nFigure 47. Sending remote commands to the infected machine\r\nFigure 48. Handling COMMAND messages from clients\r\nFurthermore, we were able to obtain a comprehensive list of all infected machines (Figure 49). This was achieved by accessing specific URLs provided by the server via /list_all_clients or /list_clients_by_build (Figure 50). These endpoints facilitate the efficient retrieval of detailed information about compromised clients.\r\nFigure 49. List of compromised machines from the C\u0026C server\r\nFigure 50. List_all_clients function\r\nWe were also able to locate the stored information from the compromised machines on the C\u0026C server (Figure 51).\r\nFigure 51. Information from the compromised machines\r\nConclusion\r\nWater Gamayun’s use of various delivery methods and techniques in its campaign, such as provisioning malicious payloads through signed Microsoft Installer files and leveraging LOLBins, highlights their adaptability in compromising victims’ systems and data. 
Throughout this analysis, we have detailed the arsenal of tools utilized by Water Gamayun, including custom backdoors like SilentPrism and DarkWisp, as well as information stealers such as EncryptHub Stealer variants and known malware like Stealc and Rhadamanthys. Their intricately designed payloads and C\u0026C infrastructure enable the threat actor to maintain persistence, dynamically control infected systems, and obfuscate their activities. By gaining access to the components and modules of their C\u0026C servers, we were able to conduct a comprehensive analysis of their architecture, functionality, and evasion techniques.\r\nIt is essential for organizations to stay informed about such evolving threats and understand the importance of advanced threat detection and robust cybersecurity measures. By keeping abreast of the latest threat intelligence and adopting proactive defense strategies, organizations can better protect themselves against actors like Water Gamayun and mitigate potential risks.\r\nProactive security with Trend Vision One™\r\nOrganizations can protect themselves from attacks such as those employed by this threat actor with Trend Vision One™ products – the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This comprehensive approach helps you predict and prevent threats, accelerating proactive security outcomes across your entire digital estate. Backed by decades of cybersecurity leadership and Trend Cybertron, the industry's first proactive cybersecurity AI, it delivers proven results: a 92% reduction in ransomware risk and a 99% reduction in detection time. Security leaders can benchmark their posture and showcase continuous improvement to stakeholders. 
With Trend Vision One, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.\r\nTrend protections for CVE-2025-26633\r\nThe following protections have been available to Trend Micro customers:\r\nTrend Vision One™ - Network Security\r\nTippingPoint Intrusion Prevention Filters\r\n45359: TCP: Backdoor.Shell.DarkWisp.A Runtime Detection\r\n45360: HTTP: Trojan.Shell.EncryptHubStealer.B Runtime Detection\r\n45361: HTTP: Backdoor.Shell.SilentPrism.A Runtime Detection\r\n45594: HTTP: Trojan.Shell.EncryptHubStealer.B Runtime Detection (Notification Request)\r\n45595: HTTP: Trojan.Shell.MSCEvilTwin.A Runtime Detection (Payload - Server Response)\r\nHunting Queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.\r\nWater Gamayun Malware Arsenal\r\nmalName: (*RHADAMANTHYS* OR *FICKLESHADE* OR *SILENTPRISM* OR *DARKWISP*) AND eventName: MALWARE_DETECTION AND LogType: detection\r\nEncryptHub Stealer Module execution\r\neventId:1 AND processFilePath:*powershell.exe AND processCmd:*encrypthub_steal.ps1\r\nMore hunting queries are available for Trend Vision One customers with Threat Insights Entitlement enabled.\r\nIndicators of Compromise (IOCs)\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html\r\nFigure 30. Constructing the HTTPS to upload the collected information\nFigure 31. 
Extracting the collected information to the attacker",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html"
	],
	"report_names": [
		"deep-dive-into-water-gamayun.html"
	],
	"threat_actors": [
		{
			"id": "4e70c7c6-264e-454d-865e-59eebd9c5253",
			"created_at": "2025-05-29T02:00:03.204306Z",
			"updated_at": "2026-04-10T02:00:03.859941Z",
			"deleted_at": null,
			"main_name": "Water Gamayun",
			"aliases": [],
			"source_name": "MISPGALAXY:Water Gamayun",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af10aec6-36a8-4bdb-ba47-8f75b6a4aa4b",
			"created_at": "2025-03-07T02:00:03.797427Z",
			"updated_at": "2026-04-10T02:00:03.821929Z",
			"deleted_at": null,
			"main_name": "Larva-208",
			"aliases": [
				"EncryptHub"
			],
			"source_name": "MISPGALAXY:Larva-208",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434431,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/48253f3e8272d2450377931f927e76cc9cea55db.pdf",
		"text": "https://archive.orkl.eu/48253f3e8272d2450377931f927e76cc9cea55db.txt",
		"img": "https://archive.orkl.eu/48253f3e8272d2450377931f927e76cc9cea55db.jpg"
	}
}